n Apple v. Superior Court of Los Angeles ex rel Krescent, the Supreme Court of California examined whether online transactions fall within the scope of a 1971 credit card act that prevents retailers in California from requesting personal identification information. An important milestone in what is likely to be an extended wave of decisions in this area, the case explores the tension between consumer privacy concerns against measures to combat online transaction fraud within the framework of outdated legislation.
A California resident sued Apple on behalf of himself and similarly situated persons. He complains that when purchasing media using a credit card from Apple’s online store, he is required to provide personal identifying information, in violation of California’s Song-Beverly Credit Card Act of 1971 (the “Act”). This Act governs the issuance and use of credit cards in California and Section 1747.08 prohibits, among other restrictions, retailers from “requesting, or requiring as a condition to accepting the credit card as payment…, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.” Apple filed a demurrer , arguing that the Act does not apply to online transactions and that deciding otherwise would undermine the prevention of identity theft and fraud. The trial court overruled the demurrer, and Apple filed a petition for writ of mandate seeking review of the trail court’s order, which was denied. The Supreme Court of California granted Apple’s petition to review
The question before the California Supreme Court was whether section 1747 of the Act applies to online (as well as brick-and-mortar) transactions. The Court began its analysis by looking at the plain text of the statute, and determined that section 1747.08 makes no reference to online transactions or the Internet. Despite both parties arguing that the plain language supported their respective position, the Court held that the text alone was “not decisive” on the issue and found it is necessary to look at “the statutory scheme as a whole.”
Looking at the statutory scheme, the Court stated that the Act was enacted to protect consumer privacy. Moreover, the legislature was particularly concerned with addressing retailers’ practice of leading consumers to mistakenly believe that collecting personal information is a necessary condition to complete a credit card transaction, when in fact that information was collected for marketing efforts, or to sell to a third party. Since the Legislature did not wish to expose retailers to fraud, it only prohibited the collection of personal information after close analysis revealed it not to be an essential step in preventing fraud.
Turning to the question at issue, the Court remarked that many of the fraud-prevention techniques available to brick-and-mortar retailers are not available to online retailers. Unlike with a physical transaction, an online retailer cannot visually inspect a credit card, the signature on the back, or the customer’s photo identification. Accordingly, the Court concluded, the key antifraud mechanism in section 1747.08 “has no practical application to online transactions involving electronically downloadable products.”
In response to the Plaintiff’s argument that a customer’s name, credit card number, card expiration date and card identification number should be sufficient to prevent fraud without collecting further information, the Court stated that the Legislature clearly disagreed by permitting physical businesses to request photo ID or a driver’s license. Since an online retailer cannot inspect a driver’s license, not correspond a driver’s license number to the person using a credit card number, the Court concluded that “the statutory scheme and legislative history make it clear the Legislature’s concern that there be some mechanism by which retailers can verify that a person using a credit card is authorized to do so.”
The Court declined to interpret a 2011 revision to the Act, which created an exception for zip code collection in “pay-at-the-pump” gas station transactions, as applying to online transactions. It also pointed to the passage of the 2003 California Online Privacy Protection Act as evidence that, when California wishes to address online privacy and digital transactions, it will do so directly and unambiguously.
The Court ended by stating that, while the Legislature may wish to “revisit the issue of consumer privacy and fraud prevention in online credit card transactions,” it is not the role of the court to opine on public policy, merely “determine what the Legislature intended by the statute it enacted.” Thus, the court held that the Legislature intended to safeguard consumer privacy while also protecting retailers and consumers against fraud, and that “this accommodation of interests… would not be achieved if section 1747.08 were read to apply to online transactions involving electronically downloadable products.” The Court reversed the judgment denying petition for writ of mandate or prohibition and remanded the issue to the Court of Appeals.
There were two dissenting opinions. Judge Kennard bemoaned that the majority ruling permits online sellers of downloadable products to “collect unlimited personal information concerning their credit-card-using customer and sell that information to, or share it with, other companies, which, for marketing purposes, can then construct detailed consumer profiles.” Judge Baxter likewise accused the majority of relying on “speculation and debatable factual assumptions to carve out an expansive exception to section 1747.08 that leaves online retailers free to collect and use the personal identification information of credit card users as they wish.”
This case highlights three major points related to digital media and online privacy. The first, reflected most predominately in the two dissents, is that California is likely to continue to lead in addressing privacy issues around digital media. This is, of course, partly because many tech giants are headquartered there, but it also reflects a growing concern within the state about the data collection and marketing practices being used by digital companies. Issues addressed by California courts will inevitably end up before other jurisdictions in the near future.
The second point is about privacy and digital transactions. With hacking perpetrated by both individuals and institutions on the rise, e-commerce increasingly replacing brick-and-mortar, physical media virtually extinct and new payment systems such as Square in the ascendency, we are likely to see many more cases addressing what information can be collected about consumers. . All companies collecting online data or conducting online or mobile transactions need to watch developments in this area of the law closely.
The final point relates to an overall problem with applying statutes written before the year 2000 to digital technology, companies and behavior. Digital, online and mobile technologies permit new and unprecedented ways for both businesses and consumers to behave.. Possibilities for profitability, creativity, deception and fraud alike are vastly increased, and courts will continue to struggle to apply outdated legislation to quickly shifting behaviors. While this case deals with transactions and privacy, these areas are merely the tip of the iceberg.
Filed in: Digital Media, IP/Internet Transactions, Legal Blog, Start-Ups
March 12, 2013